September 7, 2016 By Laurène Hummer 4 min read

In May 2016, the National Institute of Standards and Technology (NIST) published a guideline recommending the deprecation of SMS authentication as a second factor for strong authentication.

Many news outlets and security blogs have discussed the issue since then, expressing vastly different takes on the matter. I decided to ask two IBM authentication experts, Dustin Hoff and Ashish Malhotra, for their recommendations.

IBM Experts Weigh In on SMS Authentication

Question: Let’s level set on the basics — what is an SMS one-time password (OTP)?

Malhotra: In SMS-based two-factor authentication (2FA), a user must confirm the intended login or transaction by entering an OTP sent to their mobile phone — typically, a four- to eight-digit numerical code. This authentication method was once believed to protect against man-in-the-middle (MitM) attacks until security professionals realized that text messages can be intercepted by fraudsters just as easily.

How can an SMS OTP be compromised?

Malhotra: If a mobile phone is compromised because its user unwittingly downloaded malware onto it, a fraudster can simply command the malware to monitor text messages, including those containing OTPs, on that phone. Many phones are susceptible to Trojans like Zeus, Zitmo, Citadel and Perkele, which leverage open access to SMS on mobile phones specifically to intercept OTPs.

Many of these Trojans are targeting SMS OTPs, mobile SIM swaps, SIM clones, number porting attacks, fake caller ID and call forwarding scams operated by dishonest customer service representatives at mobile carriers. All of these exploit insecure SMS networks and erode misplaced trust in the channel.


What about for users whose phones haven’t been corrupted by malware? Is SMS OTP safe then?

Malhotra: The security of SMS authentication relies on the security of cellular networks, and with the attacks against Global System for Mobile Communications (GSM) and 3G networks, the confidentiality of text messages cannot be assured. Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission, even if the receiving device wasn’t infected by malware.

In addition, SMS messages are stored as plaintext by the short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

How are companies reacting to these threats?

Hoff: Despite these security issues, using SMS OTP as a second factor is still better than simply relying on the username/password combo. For this reason, most companies haven’t urgently migrated to other authentication methods.

However, I would expect this migration to take place over time. As smart devices become more and more ubiquitous, myriad new authentication methods will become available. From push-to-approve to biometrics, such as fingerprint scans, retina scans or even voice recognition, safer and more convenient choices will make it easy to do away with SMS OTP.

Malhotra: If we look at companies worldwide, we see that different geographies are at different stages of the authentication journey. South Africa was one of the first markets to move wholesale to SMS OTPs. Today, a large majority of banks there have dropped them in favor of safer, more convenient out-of-band authentication solutions centered on the mobile phone. European banks are fast dropping the technology, too. The technology is still very prevalent in North America, though we see that changing little by little.

Many banks, apps and other consumer-facing services use SMS OTP as a second factor. What’s a private consumer to do?

Hoff: As an end user of secure online services, you can immediately take a few steps to help protect yourself.

To start, you should ensure that you follow strong password guidelines and enable two-factor authentication on all services that support it, including Google, Apple and many others. While this sounds easy, you would be surprised to find how many people don’t take this seemingly simple step.

Next, check to see if your service provider offers alternatives to SMS authentication that you can start using today. For example, many services use a solution like the Google Authenticator that relies on open standards for secure OTPs. Other providers, such as Apple, have more recently started offering OTPs via push notification in order to bypass SMS delivery. There are also multiple vendors that sell relatively low-cost, standards-based, bring-your-own-authenticator hardware tokens, which can provide extra security for a variety of online services.
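The open standard behind authenticator apps such as Google Authenticator is TOTP (RFC 6238), which derives a code from a shared secret and the current time window instead of delivering it over the SMS channel. The following is an added illustration, not code from the original article or from IBM: a minimal HOTP/TOTP generator and a verifier that tolerates a small clock drift and uses a constant-time comparison. The secret is the RFC 6238 reference test key and the timestamps are the RFC's published test vectors; the function and parameter names are my own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 reference secret (ASCII "12345678901234567890"),
# used here only so the output can be checked against the RFC test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app is provisioned with."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current window plus `window` steps either side for clock drift.

    Every candidate is compared with hmac.compare_digest so the verifier does
    not leak which digits matched through its timing.
    """
    if len(code) != digits or not code.isdigit():
        return False
    matched = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * step, step, digits)
        # Evaluate all candidates rather than returning early on a match.
        matched |= hmac.compare_digest(candidate, code)
    return matched


if __name__ == "__main__":
    # Checked against the RFC 6238 SHA-1 test vectors (8-digit codes).
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
```

In a real deployment the secret is generated per user with a cryptographic random source, stored encrypted, and never logged; a used code should also be rejected for reuse within its window so a code observed once cannot be replayed.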

Finally, regardless of your chosen multifactor authentication method, ensure that you follow good mobile security practices.

What about enterprise use cases? What’s the right authentication strategy for employees, partners, contractors or even customers?

Hoff: As service providers and enterprises, you must also consider the NIST recommendations as part of your larger IAM and online security strategy. Changes may have a large impact to your users and could require additional investment, so it is important to take a thoughtful approach.

To start, remember that SMS-based two-factor authentication is still better than traditional usernames/passwords. Billions of SMS messages are exchanged each day, and while only a fraction of these are OTPs, the system is not going away overnight.

Looking ahead, it’s a good idea to understand the risk associated with different segments of your user population. For example, high-volume users on an online marketplace might be more valuable to your service and therefore pose a greater risk to your business if they are compromised. Once you understand the risk levels associated with different user segments, you can prioritize the implementation of newer, more secure authentication mechanisms.

The third step is to investigate innovations and new technologies for authentication and web access management solutions. While there is no silver bullet, vendors continue to add new functionality in this space to help enterprises and end users alike secure their online activity.

To learn more, watch the on-demand webinar, “Five Steps to Overcome Customer Authentication Chaos.”
